CVE-2026-47084 in Cyrus IMAPinfo

Summary

by MITRE • 07/16/2026

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The LOCALDELETE command bypassed ACL checks. An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability exists within the Cyrus IMAP server implementation where the LOCALDELETE command fails to properly enforce access control list checks. This represents a critical privilege escalation flaw that allows authenticated users to bypass normal permission controls and execute administrative functions against mailboxes they should not have access to. The issue affects versions through 3.12.2 and demonstrates a fundamental failure in the server's authorization mechanism.

This security gap stems from improper validation of user permissions when processing the LOCALDELETE command, which is designed as an administrative function but can be invoked by regular authenticated users without proper ACL verification. The flaw enables unauthorized mailbox deletion operations that should only be permitted for administrators or users with explicit write permissions on target mailboxes. From a cybersecurity perspective, this vulnerability directly violates the principle of least privilege and represents a classic access control bypass scenario.

The operational impact of this vulnerability is substantial as it allows malicious or compromised regular users to delete mailboxes containing sensitive information without proper authorization. This could result in data loss, disruption of services, and potential compliance violations depending on the nature of the deleted mailbox contents. The vulnerability affects organizations relying on Cyrus IMAP for email services where user privilege separation is critical for maintaining data integrity and security posture.

From a threat modeling standpoint, this vulnerability aligns with attack patterns described in the MITRE ATT&CK framework under privilege escalation techniques, specifically targeting the execution of administrative commands through improper access control. The flaw also relates to CWE-285 which addresses improper authorization scenarios in software systems. Organizations should immediately implement mitigations including upgrading to patched versions of Cyrus IMAP, reviewing and tightening ACL configurations, and implementing monitoring for unauthorized LOCALDELETE command usage.

The recommended remediation strategy involves applying the official patches released by the Cyrus IMAP development team to address this specific access control bypass. Additionally, system administrators should conduct comprehensive reviews of existing mailbox permissions and implement enhanced logging mechanisms to detect unauthorized use of administrative commands. Network segmentation and privileged access management controls should be strengthened to limit potential exploitation impact while monitoring for any suspicious deletion activities that may indicate attempted abuse of this vulnerability.

Responsible

MITRE

Reservation

05/18/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!